CVE-2026-33935
Authentication Bypass Lockout in MyTube via Shared State Exploit
Publication date: 2026-03-27
Last updated on: 2026-04-01
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| franklioxygen | mytube | < 1.8.72 (fixed in 1.8.72) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33935 is a vulnerability in MyTube, a self-hosted downloader and player for video websites. Prior to version 1.8.72, the application exposes three publicly accessible password verification endpoints that share a single file-backed login-attempt state stored in a JSON file. This shared state holds one failed-attempt counter and one cooldown deadline for the whole instance, not one per user or per client.
An unauthenticated attacker can repeatedly send invalid authentication requests to any of these endpoints; every failure increments the same counter and triggers progressively longer cooldown periods, up to 24 hours. Because the state is global, the resulting lockout applies to every user of password-based authentication, not just the attacker. By submitting one more failed attempt each time a cooldown lifts, the attacker can keep the lockout active indefinitely.
How can this vulnerability impact me?
This vulnerability enables a persistent denial of service against password-based authentication for both administrator and visitor accounts in MyTube. Legitimate users cannot log in while the attacker keeps triggering failed attempts that extend the lockout, which can last up to 24 hours per cooldown.
Because the failed-attempt state is shared across the three authentication endpoints, failures on any one endpoint lock out all of them, so the attacker can pick whichever endpoint is most convenient. No credentials are required, and the lockout can be maintained indefinitely by timing failed attempts to land just after each cooldown expires.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation shows up as repeated failed authentication attempts against MyTube's password verification endpoints. Look for a high volume of failed POST requests, typically from a single source or a small set of sources, to any of the three publicly accessible endpoints: POST /api/settings/verify-password, POST /api/settings/verify-visitor-password, and POST /api/settings/verify-admin-password. Because the counter is shared, the failures may be spread across all three endpoints rather than concentrated on one.
Since failed attempts increment a shared counter and set a cooldown deadline, the state file itself is a second signal: an unusually high failedAttempts count, or a waitUntil timestamp far in the future, indicates an active lockout.
Suggested commands to detect this on your system include:
- Use network monitoring tools (e.g., tcpdump, Wireshark) or your reverse proxy's access log to filter HTTP POST requests to the affected endpoints and count failed attempts per source address.
- Use curl to send a deliberately wrong password and observe the status code: 401 Unauthorized while attempts are still accepted, 429 Too Many Requests once the shared cooldown is active. Note that each such probe itself increments the shared counter, so use it sparingly against a production instance:
- curl -X POST http://<mytube-server>:5551/api/settings/verify-admin-password -d '{"password":"wrongpass"}' -H 'Content-Type: application/json' -v
- Check the contents of the login-attempts.json file (usually located in the backend data directory) to inspect the failedAttempts and waitUntil values:
- cat /path/to/MyTube/backend/data/login-attempts.json
Automated scripts can parse this JSON file and alert when failedAttempts exceeds a normal threshold or when the waitUntil timestamp indicates an active cooldown.
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation is to upgrade MyTube to version 1.8.72 or later, where this vulnerability has been fixed.
If upgrading is not immediately possible, consider the following steps to reduce the risk:
- Implement rate limiting that is scoped per client and per authentication route, so that one source exhausting its budget does not lock out everyone. The fix introduces multiple scoped rate limiters for the different authentication routes, which can be backported or configured. A limiter that still keys off a single shared counter, however strict, keeps the denial-of-service property.
- Restrict access to the password verification endpoints by network controls such as firewall rules or IP whitelisting to limit exposure.
- Monitor and alert on abnormal failed login patterns to detect and respond to potential abuse quickly.
Additionally, review and apply the code changes from the patches that improve authentication recovery flows, error handling, and rate limiting as described in the commits addressing CVE-2026-33935.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-33935 allows an unauthenticated attacker to cause a persistent denial of service by locking administrator and visitor accounts out of password-based authentication, for up to 24 hours per cooldown and indefinitely if the attacker keeps renewing it. The impact is to availability of access; the vulnerability does not itself expose or alter stored data.
The provided context and resources do not mention compliance with standards such as GDPR or HIPAA, but a denial of service against authentication can bear on them indirectly. GDPR (Article 32) expects processing systems to maintain availability and resilience, and HIPAA's security rule requires that authorised users can reach protected health information when they need it. An attacker-induced lockout that keeps authorised users out could therefore count against availability requirements, depending on what the instance is used for.
However, there is no direct information in the provided text linking this vulnerability to specific compliance failures or regulatory penalties.